The Digital Markets Act (DMA) is a European Union regulation that targets large digital platforms acting as “gatekeepers” — typically tech giants that dominate certain digital markets. The DMA seeks to ensure fair competition by imposing restrictions on these gatekeepers, including prohibiting practices such as self-preferencing, locking users into ecosystems, and unfair use of business users' data. It complements the Digital Services Act (DSA) and came into force in May 2023, with compliance required from March 2024.
If your business operates online in the EU or targets EU users, understanding the DMA is critical — even if you are not a gatekeeper. Gatekeepers are companies with a significant impact on the internal market. But smaller companies may also be affected, especially if they interact with or rely on gatekeeper platforms. Compliance may involve changes in interoperability, access to data, advertising transparency, and user consent practices.
Businesses must ensure that users make informed choices freely and without coercion, aligning consent practices with GDPR standards. A central concept of the DMA is requiring explicit user consent for data processing, particularly when personal data is combined across services. Simply bundling consent into general terms and conditions or using manipulative design (known as “dark patterns”) is no longer acceptable under the DMA.
To ensure compliance with the DMA, businesses should:
Determine DMA role: Identify whether they qualify as a “gatekeeper” under the DMA criteria.
Review data practices: Review how data is collected, processed, and combined across platforms.
Update consent mechanisms: Ensure users are informed and consent is freely given.
Review policies: Audit contracts, platform rules, and algorithmic transparency policies.
Document for compliance: Prepare and maintain comprehensive documentation to demonstrate compliance.
The DMA primarily applies to digital platforms designated as gatekeepers by the European Commission. A gatekeeper typically:
Has an annual EU turnover of at least €7.5 billion, or a market value of at least €75 billion
Provides core platform services (like search engines, app stores, social networks, etc.) to over 45 million monthly EU users
Operates in at least three EU member states
However, non-gatekeeper businesses must still adjust to the rules imposed on gatekeepers, especially if they use or depend on those platforms. Therefore, awareness and indirect compliance are necessary for many digital businesses.
The EU AI Act intersects with data privacy laws like GDPR and thus confers a number of data privacy rights to consumers, including:
Consumers must give specific, informed and unambiguous consent without any manipulative tactics and have the right to withdraw consent at any time
Consumers must be able to easily transfer their data to other services and know that there is interoperability between them
Gatekeepers may not self-preference their own services and products and must allow users to uninstall pre-installed apps that are part of gatekeepers’ platforms
Consumers are allowed to complain about any non-compliance by gatekeepers
Consumers have a right to know how their data is collected, used and shared.
Cookie consent practices are particularly key under the DMA, as the Act aims to prevent gatekeepers from using cookies to combine user data across services or platforms.
The DMA requires that:
users have the choice to opt in to such tracking
refusal not result in degraded service
cookie banners and consent tools be clear, user-friendly, and fully compliant
cookie choices be respected across sessions
users be able to easily withdraw consent
Failure to comply with the DMA can result in significant penalties, including:
Fines of up to 10% of a company’s global annual turnover, or up to 20% for repeated infringements
Periodic penalty payments of up to 5% of daily turnover for continued non-compliance
In extreme cases, the European Commission may impose structural remedies, such as requiring a company to divest parts of its business
Compliance with the DMA can be achieved by taking a few key actions:
Review data practices for consent: Ensure that you obtain explicit, informed consent before storing or accessing non-essential cookies. Pre-ticked boxes and implied consent are non-compliant.
Provide clear choices: Allow users to accept or reject different categories of cookies without influencing their choice, and make consent withdrawal transparent.
Ensure a symmetrical user experience: Make “reject all” as easily accessible as “accept all”, without burying the option behind multiple clicks or confusing wording.
Avoid dark patterns and bundling: Make sure that consent can be freely given, specific and not conditional.
Implement consent management: Platforms like CookieHub provide an easy way to manage consumer consent for data processing.
Staying compliant is not only a legal obligation but also a competitive necessity.
A comprehensive consent management platform like CookieHub can help businesses comply with the DMA by providing tools to collect, manage, and document valid user consent in a transparent, GDPR-aligned manner—ensuring users have clear, granular choices and the ability to withdraw consent at any time.
The DMA targets large online platforms acting as “gatekeepers” to ensure fair competition and prevent anti-competitive practices in the digital market across the EU. It applies to major tech companies that provide core platform services like search engines, social networks, app stores, and online marketplaces.
A gatekeeper is a large online platform that controls access to important digital markets and acts as a critical gateway between businesses and users. These platforms have a strong economic position, a significant user base, and operate core platform services such as app stores, search engines, social networks, or online marketplaces. The DMA sets specific criteria to identify gatekeepers based on their size, user numbers, and impact on the internal market.
Personal data refers to any information relating to an identified or identifiable individual, such as names, email addresses, location data, or online identifiers, that platforms may collect, process, or use in their services.
Sensitive data includes personal information that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health information, or data concerning a person’s sex life or sexual orientation.
The European Commission is the primary regulatory authority responsible for enforcing the DMA and overseeing compliance across the EU member states.
The DMA rules apply specifically to gatekeepers that meet certain thresholds related to size and market impact. Smaller digital platforms and companies that do not meet these criteria are exempt from the DMA regulations.
More detailed information and official documents can be found on the European Commission’s website dedicated to the Digital Markets Act.